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A METHOD AND SYSTEM FOR PROVIDING HARDWARE SUPPORT FOR 
MEMORY PROTECTION AND VIRTUAL MEMORY ADDRESS TRANSLATION FOR 
5 A VIRTUAL MACHINE 



TECHNICAL FIELD 

The present invention relates generally to digital computer systems. More specifically, 
10 the present invention pertains to efficiently implementing support for a virtual machine and 
applications executing within the virtual machine. 

BACKGROUND ART 

Many types of digital computer systems are used to implement virtual machines and 

15 support for applications that execute within virtual machines. Generally, the term "virtual 
machine" refers to a computer system image or process that supports multiple computer 
system images/processes. Each image can contain an operating system and its associated 
applications, or alternatively, each image may have the same operating system or a different 
respective operating systems. Some prior art computer systems are specifically built with 

20 hardware circuits that support virtual machine capability, however, most prior art computer 
systems are configured to support virtual machine entirely through software. These prior art 
solutions are limited in their performance and usefulness due to fact that software support 
requires very slow software based emulation while the hardware support only implements 
primitive early generation processor platforms. Thus what is required is a solution that can 

25 efficiently implement hardware support for full capability virtual machines and applications 
executing within virtual machines. 
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DISCLOSURE OF THE INVENTION 

Embodiments of the present invention provide a method and system for implementing 
hardware support for memory protection and virtual memory address translation for a virtual 
machine. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

The accompanying drawings, which are incorporated in and form a part of this 
specification, illustrate embodiments of the invention and, together with the description, serve 
to explain the principles of the invention: 

5 

Figure 1 shows a diagram of a computer system configured for supporting a virtual 
machine and virtual machine applications in accordance with one embodiment of the present 
invention. 

10 Figure 2 shows a diagram depicting the host machine executing within a first context 

and the virtual machine executing within a second context in accordance with one embodiment 
of the present invention. 

Figure 3 shows a diagram of a virtual memory translation method in accordance with 
15 one embodiment of the present invention. 

Figure 4 shows a diagram of a plurality of entries of a TLB in accordance with one 
embodiment of the present invention. 

20 Figure 5 shows a flowchart of the steps of a process for providing hardware support 

for virtual memory address translation for a virtual machine in accordance with one 
embodiment of the present invention. 

Figure 6 shows a diagram depicting a plurality of control bits as used in embodiments 
25 of the present invention. 
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Figure 7 shows a diagram depicting the hardware support for memory protection for 
the virtual machine operating system in accordance with one embodiment of the present 
invention. 

5 Figure 8 shows a flowchart of a process for providing hardware support for memory 

protection in accordance with one embodiment of the present invention. 

Figure 9 shows a diagram of a computer system in accordance with one embodiment 
of the present invention. 

10 
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DETAILED DESCRIPTION OF THE EMBODIMENTS 

Reference will now be made in detail to the preferred embodiments of the present 
invention, examples of which are illustrated in the accompanying drawings. While the 
invention will be described in conjunction with the preferred embodiments, it will be 
5 understood that they are not intended to limit the invention to these embodiments. On the 
contrary, the invention is intended to cover alternatives, modifications and equivalents, which 
may be included within the spirit and scope of the invention as defined by the appended 
claims. Furthermore, in the following detailed description of embodiments of the present 
invention, numerous specific details are set forth in order to provide a thorough understanding 
10 of the present invention. However, it will be recognized by one of ordinary skill in the art that 
the present invention may be practiced without these specific details. In other instances, well- 
known methods, procedures, components, and circuits have not been described in detail as not 
to unnecessarily obscure aspects of the embodiments of the present invention. 

15 Embodiments of the present invention implement a method and system for providing 

hardware support for virtual memory address translation for a virtual machine. The method 
includes executing a host machine application within a host machine context and executing a 
virtual machine application within a virtual machine context. A plurality of TLB (translation 
look aside buffer) entries for the virtual machine context and the host machine context are 

20 stored within a TLB. Hardware support is provided for virtual memory address translation 
for the virtual machine application by using the cached translations stored in the TLB. 
Additionally, embodiments of the present invention provide hardware support for memory 
protection for the virtual machine application, in addition to the host machine application. To 
implement memory protection, memory protection bits for the plurality of TLB entries are 

25 logically combined to enforce memory protection on the virtual machine application. 
Embodiments of the present invention and their benefits are further described below. 



Notation and Nomenclature 

TRAN-205 5 



6/27/03 



CONFIDENTIAL 

Some portions of the detailed descriptions which follow are presented in terms of 
procedures, steps, logic blocks, processing, and other symbolic representations of operations 
on data bits within a computer memory. These descriptions and representations are the means 
used by those skilled in the data processing arts to most effectively convey the substance of 
5 their work to others skilled in the art. A procedure, computer executed step, logic block, 
process, etc., is here, and generally, conceived to be a self-consistent sequence of steps or 
instructions leading to a desired result. The steps are those requiring physical manipulations 
of physical quantities. Usually, though not necessarily, these quantities take the form of 
electrical or magnetic signals capable of being stored, transferred, combined, compared, and 
10 otherwise manipulated in a computer system. It has proven convenient at times, principally 
for reasons of common usage, to refer to these signals as bits, values, elements, symbols, 
characters, terms, numbers, or the like. 

It should be borne in mind, however, that all of these and similar terms are to be 
associated with the appropriate physical quantities and are merely convenient labels applied to 
these quantities. Unless specifically stated otherwise as apparent from the following 
discussions, it is appreciated that throughout the present invention, discussions utilizing terms 
such as "storing" or "accessing" or "recognizing" or "retrieving" or "translating" or the like, 
refer to the action and processes of a computer system (e.g., system 900 of Figure 9), or 
similar electronic computing device, that manipulates and transforms data represented as 
physical (electronic) quantities within the computer system's registers and memories into 
other data similarly represented as physical quantities within the computer system memories 
or registers or other such information storage, transmission or display devices. 

25 Embodiments of the present invention 

Figure 1 shows a diagram of a computer system 100 configured for supporting 
input/output for a virtual machine in accordance with one embodiment of the present 
invention. As depicted in Figure 1, system 100 shows a processor architecture 1 10, including 
TRAN-205 6 6/27/03 



15 



20 



CONFIDENTIAL 

a CPU hardware unit 101 and micro architecture code 102. A host operating system 120 is 
configured to execute on the platform provided by the processor architecture 1 10. The host 
operating system 120 supports the execution of one or more applications 130 and a monitor 
140. The monitor 140 provides support for the execution of a virtual machine 150 which in 
5 turn supports the execution of one or more virtual machine applications 151. 

The system 100 embodiment implements a method and system for supporting 
input/output for a virtual machine (e.g., virtual machine 150). In the present embodiment, the 
monitor 140 provides the operating environment for the execution of the virtual machine 150 
10 and the one or more virtual machine applications 151. The monitor 140 is supported by the 
host operating system 120. 

The host operating system 120 provides execution resources (e.g., memory, device 
driver support, I/O, and the like) for both the applications 130 and the monitor 140. The host 
operating system 120 operates with a set of host machine page tables to implement virtual 
memory. The host operates system 120 can provide memory protection between the 
applications 130 and the monitor 140 and its virtual machine 150 and virtual machine 
applications 151. In this manner, the data and resources of the components 140-151 are 
generally handled by the host operating system 120 in the same manner as other applications 
130. 

The virtual machine 150 runs within the address space provided by the monitor 140. 
The virtual machine 150 executes within its own context (e.g., within its own address space) 
with respect to other applications 130. Within the virtual machine 150, virtual machine 
25 applications 151 can further define other processes which run within the address space of the 
virtual machine 150. For example, one of the virtual machine applications 151 can be an 
operating system, wherein the operating system allocates and manages processes/address 
space for other virtual machine applications running on top of the virtual machine 150. In this 
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manner, the virtual machine 150 can support its own operating system which subsequently 
supports its own applications, each being provided with memory protection. Similarly, 
multiple virtual machines like virtual machine 150 can be implemented by the monitor 140, or 
by multiple monitor processes, with each virtual machine being provided with its own address 
5 space. 

In the present embodiment, the applications 130 and the monitor 140 typically execute 
within their own respective processes, as provided by the host operating system 120. They 
each have their own respective address spaces. Memory protection and processor cycle 
10 allocation is handled by the host operating system 120. Virtual memory management, 

interrupt allocation, process scheduling, and the like for the applications 130 and the monitor 
140 is handled by the host operating system 120. The host operating system 120 executes 
on top of the processor architecture 1 10. This relationship is depicted in Figure 2 below. 

15 In one embodiment, system 100 of the present invention provides a unique processor 

architecture 1 10 to provide much faster virtual machine performance in comparison to the 
prior art. The system 100 embodiment provides the performance benefits, in part, by 
executing virtual machine application instructions using micro architecture code 102 of the 
processor architecture 1 10. In comparison, whereas some prior art computer systems include 

20 specially built hardware circuits that support virtual machine capability, and whereas other 
prior art computer systems support virtual machine capabilities entirely through software, the 
system 100 embodiment of the present invention utilizes specific attributes of the processor 
architecture 1 10 to realize performance benefits in executing the virtual machine 150. 

25 In one embodiment, the micro architecture code 102 in conjunction with the CPU 

hardware 101 provide a unique processor environment that supports the emulation required to 
implement the virtual machine 150. This unique processor environment is specifically 
configured to execute emulation and translation much faster than prior art processor 
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architectures. This allows the processor architecture 1 10 to provide a fully functional virtual 
machine 150, having all of the attributes of a conventional real machine, that executes much 
faster than the prior art software only approach. 

5 Additionally, the virtual machine 150 is a fully functional virtual machine. For 

example, embodiments of the virtual machine 150 have full support for interrupts, 32-bit 
memory addressing, virtual memory management, protected memory, and the like, in 
comparison to the limited capabilities provided by prior art hardware based virtual machine 
support (e.g., 8086 virtual mode, etc.). Thus the system 100 embodiment of the present 
10 invention provides a solution that can efficiently implement support for full featured virtual 
machines and the applications executing within the virtual machines. 

In one embodiment, the processor architecture 1 10 is specifically configured to 
implement a translation and emulation process. For example, depending upon the specific 

15 requirements of a particular implementation, non-native target applications (e.g., x86 
applications) are emulated and translated using native micro architecture code 102 (e.g., 
VLIW code). The CPU hardware 101 executing the micro architecture code 102 can be a 
VLIW (very long instruction word) CPU hardware unit. In such an implementation, the 
VLIW instructions would be configured to efficiently feed multiple pipeline front ends of the 

20 CPU hardware 101 to achieve maximum concurrency and parallelism. In such an 

embodiment, the micro architecture code 102 can be used to implement specialized "code 
morphing software" (CMS) to support the efficient execution of the non-native target 
instructions on the CPU hardware 101. A basic diagram of such a processor architecture is 
shown in Figure 5 below. Additional descriptions of processor architectures implementing 

25 translation can be found in commonly assigned United States Patent 5,958,061, HOST 

MICROPROCESSOR WITH APPARATUS FOR TEMPORARILY HOLDING TARGET 
PROCESSOR STATE, which is incorporated herein in its entirety. 
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Figure 2 shows a diagram depicting a virtual machine monitor 140 executing within a 
first context 201 and the virtual machine 150 (including, for example, a virtual machine 
operating system 151) executing within a second context 202. Both contexts 201-202 
execute on top of the processor architecture 110. 

5 

In the present embodiment, as described above, the machine monitor 140 operates as 
its own context with respect to the virtual machine 150. Generally, threads executing within 
the host machine's context 201 have access to each other's memory addresses. Similarly, 
threads executing within the virtual machine's context 202 have access to each other's memory 
10 addresses. In the present embodiment, virtual memory management is handled by the host 
operating system, the host operating system 120. Thus, processor resources, data files, 
interrupt scheduling, and the like for the other processes (including the virtual machine 150) 
executing on the processor architecture 1 10 are managed through the host operating system 
120. 

15 

The virtual machine 150 can execute its own virtual machine operating system and 
manage its own virtual memory on top of the processor resources, data files, interrupt 
scheduling, process scheduling, and the like provided by the host operating system 120. In 
this manner, the virtual machine 150 can function as its own self-contained computer system, 
20 and appears as its own computer system to the applications that execute on top of the virtual 
machine operating system 151 (e.g., other virtual machine applications 151 shown in Figure 
1). 

Thus, for example, in one embodiment, the virtual machine 150 can execute a 
25 Microsoft Windows ™ compatible operating system, complete with virtual memory, etc., 
within the context 202, while the real machine 100, also referred to as the host machine, 
executes, for example, a Linux® operating system, or the like. 
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Embodiments of the present invention provide for a much faster execution of the 
virtual machine 150 in comparison to the prior art. The system 100 embodiment implements 
hardware support for virtual memory address translation for the virtual machine 150. This 
provides much faster virtual machine execution in comparison to the prior art, where software 
5 only routines are required to manage virtual address translation of the virtual machine 150. 
Embodiments of the present invention utilize the address translation hardware of the 
processor architecture 110 and the computer system to accelerate physical address lookups 
for virtual memory addresses. This processes shown in Figure 3 below. 

10 Figure 3 shows a diagram of a virtual memory translation method in accordance with 

one embodiment of the present invention. As depicted in Figure 3, a virtual address space 202 
of the virtual machine 150 is shown with respect to a virtual address space 310 provided for 
use by the virtual machine monitor 140 by the host operating system 120, and the physical 
address space 300 of the computer system (e.g., computer system 900 of Figure 9). 

15 

As described above, a host operating system 120 executes on the host machine 100 
and manages the virtual address space of the host machine. This is depicted in Figure 3 as the 
address space 201 using a host machine page table 31 1 to map to the physical addresses 300 
of the computer system, as shown by lines 303-304. 

20 

A TLB 340 is used to cache a subset of the translations from the virtual address space 
201 to the physical addresses 300. As is well known, when a TLB "hit" occurs, the physical 
address translation is rapidly returned by the TLB since the virtual address to physical 
address translation is stored as an entry in the the cache. This is shown by lines 342-343. 
25 When a TLB miss occurs, the host machine page table 311 must be "walked" in order to find 
the virtual address to physical address translation (e.g., lines 303-304). 
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In the present embodiment, entries within the TLB 340 for the host machine virtual 
address space 201 include a context identifier (here referred to as CID A) that identifies the 
entry as one from the host machine's virtual address space 201. Similarly, entries within the 
TLB 340 for the virtual machine virtual address space 202 include a context identifier (here 
5 referred to as CID B) that identifies the entry as one from the virtual machine's virtual address 
space 202. This allows the TLB 340 to accelerate translations between the virtual machine 
virtual address space 202 and the physical addresses 300. This is shown by line 341 and line 
343. 



10 Thus, TLB 340 provides hardware support for virtual address translations for both the 

virtual machine virtual address space 202 and the host machine virtual address space 201 to 
the physical addresses 300. In accordance with embodiments of the present invention, the 
TLB 340 includes entries having respective context identifiers for both the virtual machine 
virtual address space 202 and the host machine virtual address space 201. By using a single 

15 TLB 340 in the manner described above, embodiments of the present invention greatly 

accelerate the execution of the virtual machine 150 in comparison to the prior art. In the case 
of a TLB hit, the virtual machine virtual address 202 to physical address 300 translation is as 
fast as the host machine virtual address 201 to physical address 300 translation. 



20 When a TLB miss occurs during a virtual machine virtual address translation, a 

conventional page table walk is executed. The virtual machine page table 321 is walked to 
obtain a host machine virtual address corresponding to a virtual machine virtual address (e.g., 
lines 301-302). If another TLB miss occurs, where this obtained host machine virtual address 
is not in the TLB 340, the host machine page table 3 1 1 is walked to obtain the corresponding 

25 physical address (e.g., lines 303-304). 
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Generally, the TLB 340 caches the most recent address translations. Thus, TLB 
misses usually result in the entries of the TLB 340 being updated with the more recent 
address translations. 

5 Figure 4 shows a diagram of the entries of the TLB 340 in accordance with one 

embodiment of the present invention. An example wherein 32-bit addresses 401 are used is 
shown. However, it should be noted that embodiments of the present invention are not limited 
to any particular 32-bit addressing configuration. For example, embodiments of the present 
invention are equally applicable to 16-bit, 64-bit, etc. types of addressing configurations. 

10 Similarly, although the tags with which the TLB is indexed are shown as being 20 bits in 
length, embodiments of the present invention are equally applicable to other configurations. 
In the example shown in Figure 4, the size of each page is 2 1 2 bytes (typically corresponding 
to the lower 12 bits of an address) and the tag size is 20 bits (typically the upper 20 bits of the 
address) plus the size of the CID. Figure 4 also depicts attribute bits (sometimes referred to 

15 as control bits) appended to the data portion of each entry as shown. 

Generally, with virtual addresses comprising incoming 32-bit data words as shown, 
the most significant 20 bits (the page name) comprise a tag and are used to search the "x" 
number of entries of the TLB (e.g., 48 entries, 96 entries, or more) for tag matches. The least 

20 significant 12 bits of the incoming virtual address indicate which byte of a page is addressed 
and become the least significant 12 bits of the physical address, as shown. In the present 
embodiment, the context identifier (CID) is part of the tag. Additionally, various 
control/attribute bits can optionally be included with the 20 bits of data of the physical 
address. The output of the TLB is the most significant 20 bits of the physical address, 

25 sometimes referred to as the page frame address, plus the control/attribute bits. 

Referring now to Figure 5, a flowchart of the steps of a process 500 for providing 
hardware support for virtual memory address translation for a virtual machine is shown. 
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Process 500 is below described with reference to the system 100 diagram depicted in Figure 
3. 



Process 500 begins in step 501, where a host machine operating system is instantiated 
5 and begins executing within a host machine context (CID A). In step 502, a virtual machine 
operating system is instantiated and begins executing within a virtual machine context (CID 
B). In step 503, a plurality of TLB entries are stored within the TLB 340 for both the virtual 
machine context and the host machine context. The storing is conducted by the memory 
management hardware of the processor architecture (e.g., processor architecture 1 10) and the 
10 computer system architecture (e.g., computer system 900). As described above, the entries of 
the TLB 340 include context identifiers that indicate the context a particular entry belongs to. 
The host operating system executes within the host machine context, in this case CID A, while 
the virtual machine operating system executes within the virtual machine context, CID B. The 
context identifiers allow entries from both contexts to share the common TLB cache. 

15 

In step 504, a host machine virtual memory address space 201 is maintained using a 
host machine page table 311. In step 505, a virtual machine virtual memory address space 
202 is maintained using a virtual machine page table 321. As described above, the page tables 
311 and 321 allow the respective operating systems to maintain memory protection for 
20 multiple processes executing on top of them. Thus, the host operating system 120 can 

maintain memory protection for other applications besides the virtual machine that execute on 
top of it (e.g. the applications 130). Similarly, the virtual machine operating system can 
maintain memory protection for the applications that execute on top of the virtual machine 
(e.g., virtual machine 150). 

25 

In step 506, one or more virtual machine applications are executed and provide their 
application functionality to the user. The virtual machine applications execute on top of the 
virtual machine 150 and update the state data of the virtual machine 150. In the present 
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embodiment, input and output with the user is managed through the host operating system. 
Access to computer system resources, such as device drivers and the like, is also managed 
through the host operating system. To the user, support for the virtual machine applications 
occurs transparently, and the virtual machine applications function as if they were running on 
5 their own dedicated real machine. 

In step 507, virtual addresses 202 of the virtual machine 150 are translated into 
physical addresses 300 by the TLB 340. In accordance with embodiments of the present 
invention, this hardware supported translation greatly increases the execution speed of the 
10 virtual machine applications. So long as the virtual addresses are contained within the TLB 
340, execution of the virtual machine applications continues as indicated in step 506. In the 
case of a virtual machine context TLB miss, process 500 proceeds to step 508 where the 
virtual machine page table 321 is walked to obtain the corresponding host machine virtual 
address 201. 

15 

In step 509, the obtained host machine virtual address is checked against the TLB 340. 
If the host machine virtual address is in the TLB 340, the corresponding physical address is 
retrieved and virtual machine application processing continues as indicated by step 506. In 
the case of a host machine context TLB miss, process 500 proceeds to step 510 where the 

20 host machine page table 31 1 is walked to obtain the corresponding physical address 300. As 
in step 508, once the corresponding physical addresses obtained, the execution of the virtual 
machine applications can continue. Additionally, as TLB misses occur, the entries of the TLB 
340 can be updated to contain the more recent virtual address to physical address translations 
for both the host machine context (CID A) and the virtual machine context (CID B). In this 

25 manner, embodiments of the present invention implement a method and system for providing 
hardware support for virtual memory address translation for a virtual machine. 
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Figure 6 shows a diagram depicting a plurality of control bits 601 as used in 
embodiments of the present invention. As depicted in Figure 6, the control bits 601 include a 
dirty bit indicator, or dirty bit, 620, and a read/write bit indicator, R/W bit 630. 

5 Embodiments of the present invention provide hardware support for memory 

protection in addition to providing hardware support for virtual memory address translation 
for a virtual machine. In one embodiment, this is accomplished by using the control bits 601 
of the various TLB entries (e.g., the "x" entries of the TLB depicted in Figure 4) to convey 
memory protection information to both a virtual machine application and a host machine 

10 application. Thus, for example, in a manner similar to the way the plurality of bits comprising 
the CID 610 describe the context to which the TLB entry belongs, control bits can be used to 
describe read or write protections accorded to the TLB entry. In the embodiment depicted in 
Figure 6, the read/write bit 630 and the dirty bit 620 are used to indicate read and write 
protections for a given TLB entry. Figure 6 also shows the logic used where write protection 

15 is enabled or disabled by the computer system using the read/write bit 630 and a dirty bit 620. 

As known by those skilled in the art, is important that memory protections afforded by 
a host operating system are respected by other applications that execute on the machine. For 
example, read and/or write protections afforded to a given virtual address need to be respected 

20 by other applications, otherwise memory corruption can result. The problem involves the fact 
that in some circumstances (e.g., as in a case where the virtual machine application is an 
operating system), the virtual machine application executing within the virtual machine 
manipulates virtual addresses and may choose to disable read/write protection enforcement. 
Disabling such protection inside the virtual machine must not affect the host operating 

25 system. 



One embodiment of the present invention utilizes the functioning of the dirty bit 620 
to solve the above described memory protection problem. In such embodiment, since the dirty 
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bit 620 is observed and respected by operating systems executing in both the virtual machine 
context and the host machine context, the dirty bit 620 is used to enforce memory protection 
on the virtual machine operating system, or other virtual machine applications. In the 
embodiment shown in Figure 6, when write protection is enabled and upon the assertion of a 
5 write signal (is_write), the improper use of the read/write bit 630 will signal a write fault and 
the improper use of the dirty bit 620 will cause a trap to microarchitecture code (e.g., to handle 
the situation). The microarchitecture code will typically re-walk the page table and therefore 
determine the location and nature of the fault. 

10 Figure 7 shows a diagram depicting the hardware support for memory protection for 

the virtual machine operating system in accordance with one embodiment of the present 
invention. As depicted in Figure 7, two virtual addresses 721 and 722 are shown. A real 
machine (e.g., host machine) operating system 720 is shown and a virtual machine operating 
system 750 shown. 

15 

As described above, in one embodiment, the functioning of the dirty bit, in this case 
dirty bit 703 and dirty bit 705, is used to enforce memory protection. In the present 
embodiment, the control bit inputs from the host machine page table 311 and the virtual 
machine page table 321 are logically combined using a logical AND operation 740 to 

20 determine the state of the dirty bit 705 for the virtual machine virtual address 722. For 
example, through its normal operation, the host machine page table 311 will determine the 
state of the read/write bit 702 and the dirty bit 703. The bits 702-703 are logically combined 
with the dirty bit input 732 from the virtual machine page table 321 using the operator 740. 
This results in the dirty bit 705, which is stored in the virtual address 722. The read/write 

25 input 731 is directly stored within the virtual address 722 as the read/write bit, as shown. 

Thus, although the virtual machine operating system 750 may not respect read/write 
inputs from the real machine operating system 720, the virtual machine operating system 750 
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will respect dirty bit states set by the real machine operating system 720. For example, the 
dirty bit input 732 from the virtual machine page table 321 and the read/write bit 702 and the 
dirty bit 703 from the real machine page table 311 must all be asserted (e.g., asserted high) in 
order for the dirty bit 705 to be asserted. If the dirty bit 705 is asserted, the address 722 can 
5 be safely written to by the virtual machine operating system 750 or by any of its applications 
(e.g., the applications 151 of Figure 1), otherwise, the address 722 is protected and cannot be 
written to by the virtual machine operating system 750 or any of its applications. 



Figure 8 shows a flowchart of a process 800 for providing hardware support for 
10 memory protection in accordance with one embodiment of the present invention. As depicted 
in Figure 8, process 800 shows the steps involved in providing memory protection for a 
virtual machine operating system and host machine operating system. 



Process 800 begins in step 801, where a host machine operating system is instantiated 
15 and executed in a host machine context (CID A). In step 802, a virtual machine operating 
system is instantiated and executed in a virtual machine context (CID B). In step 803, a 
plurality of TLB entries for the virtual machine context and the host machine context are 
stored within the TLB. In step 804, process 800 of the present embodiment accesses memory 
protection bits for TLB entries from the host machine operating system and logically 
20 combines them with memory protection bits from the virtual machine operating system to 

generate the appropriate memory protection bits to enforce memory protection. As described 
above, although the virtual machine operating system (e.g., virtual machine operating system 
750) may not respect read/write protections from the real machine operating system (e.g., real 
machine operating system 720), the virtual machine operating system 750 will respect dirty bit 
25 states set by the real machine operating system 720. Subsequently, in step 805, memory 

protection is enforced on the virtual machine operating system using the generated control bits 
for the TLB entries. 
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Computer System Platform 

With reference now to Figure 9, a computer system 900 in accordance with one 
embodiment of the present invention is shown. Computer system 900 shows the general 
components of a computer system in accordance with one embodiment of the present 
5 invention that provides the execution platform for implementing certain software-based 

functionality of the present invention. As described above, certain processes and steps of the 
present invention are realized, in one embodiment, as a series of instructions (e.g., software 
program) that reside within computer readable memory units of a computer system (e.g., 
system 900) and are executed by the CPU 901 of system 900. When executed, the 
10 instructions cause the system 900 to implement the functionality of the present invention as 
described above. 

In general, system 900 comprises at least one CPU 901 coupled to a North bridge 902 
and a South bridge 903. The North bridge 902 provides access to system memory 915 and a 
15 graphics unit 910 that drives a display 91 1 . The South bridge 903 provides access to a 
plurality of coupled peripheral devices 931 through 933 as shown. Computer system 900 
also shows a BIOS ROM 940 that stores BIOS initialization software. 

The foregoing descriptions of specific embodiments of the present invention have 
20 been presented for purposes of illustration and description. They are not intended to be 
exhaustive or to limit the invention to the precise forms disclosed, and obviously many 
modifications and variations are possible in light of the above teaching. The embodiments 
were chosen and described in order to best explain the principles of the invention and its 
practical application, to thereby enable others skilled in the art to best utilize the invention and 
25 various embodiments with various modifications as are suited to the particular use 

contemplated. It is intended that the scope of the invention be defined by the claims appended 
hereto and their equivalents. 
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